sub-processor-management

Sub-Processor Management

Overview

GDPR Article 28(2) establishes that a processor shall not engage another processor (sub-processor) without prior specific or general written authorisation of the controller. Where general authorisation is granted, the processor must inform the controller of any intended changes concerning the addition or replacement of sub-processors, giving the controller the opportunity to object. This creates an ongoing management obligation that extends through the entire processing chain.

The EDPB Guidelines 07/2020 (paragraph 93) emphasize that the controller's Article 28(1) due diligence obligation extends to oversight of sub-processor arrangements, and that the processor remains fully liable for the sub-processor's compliance.

At Summit Cloud Partners, the Sub-Processor Management Program ensures visibility and control over the entire processing chain for all vendor relationships involving personal data.

Authorization Models

Model A: Prior Specific Authorization

Under this model, the controller individually approves each sub-processor before engagement.

When to Use:

  • High-risk processing (special category data, large-scale processing, cross-border transfers)
  • Processing involving sensitive industries (healthcare, financial services)